[CONJ-926] Client restrict authentication plugin to a limited set of authentication plugin and doesn't permit requested plugin ('caching_sha2_password')
Created: 2022-02-08  Updated: 2022-02-10  Resolved: 2022-02-10

Status: Closed
Project: MariaDB Connector/J
Component/s: configuration
Affects Version/s: 3.0.3
Fix Version/s: 3.0.4

Type: Bug
Priority: Major
Reporter: Agostino
Assignee: Diego Dupin
Resolution: Fixed
Votes: 0
Labels: None
Environment: Rocky Linux 8

 Description   

Hello, we have updated our connectorJ to 3.0.3 and we face this issue when we try to access our web application:

java.sql.SQLException: Client restrict authentication plugin to a limited set of authentication plugin and doesn't permit requested plugin ('caching_sha2_password'). Current list is `restrictedAuth=mysql_native_password,client_ed25519,auth_gssapi_client`
        at org.mariadb.jdbc.plugin.authentication.AuthenticationPluginLoader.get(AuthenticationPluginLoader.java:41)
        at org.mariadb.jdbc.client.impl.ConnectionHelper.authenticationHandler(ConnectionHelper.java:286)
        at org.mariadb.jdbc.client.impl.StandardClient.<init>(StandardClient.java:188)
        at org.mariadb.jdbc.Driver.connect(Driver.java:64)
        at org.mariadb.jdbc.Driver.connect(Driver.java:83)
        at org.mariadb.jdbc.Driver.connect(Driver.java:27)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:270)
        at it.loway.tpf.SQL.openConnection(SQL.java:62)
        at it.loway.tpf.transaction.servlets.LowayTransactionController.processClassicSynchronizedRequest(LowayTransactionController.java:492)
        at it.loway.tpf.transaction.servlets.LowayTransactionController.serveRequest(LowayTransactionController.java:367)
        at it.loway.tpf.transaction.servlets.LowayTransactionController.serveRequestWrapper(LowayTransactionController.java:262)
        at it.loway.tpf.transaction.servlets.LowayTransactionController.doGet(LowayTransactionController.java:84)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:750)
-- End Inner Exception --

The strangeness is that if we are going to initialize the database, it works. Is there anything we can do to help debug the issue?

Database version:

~ # rpm -qa | grep mysql
mysql-common-8.0.26-1.module+el8.4.0+652+6de068a7.x86_64
mysql-8.0.26-1.module+el8.4.0+652+6de068a7.x86_64
mysql-server-8.0.26-1.module+el8.4.0+652+6de068a7.x86_64
mysql-errmsg-8.0.26-1.module+el8.4.0+652+6de068a7.x86_64



 Comments   
Comment by Diego Dupin [ 2022-02-08 ]

There is a bug in the https://jira.mariadb.org/browse/CONJ-872 implementation.
The default is normally no restriction, but the current implementation restricts authentication plugins to "mysql_native_password,client_ed25519,auth_gssapi_client".

The workaround until correction is to explicitly set the option 'restrictedAuth' with plugins, like

 'jdbc:mariadb://host/db?restrictedAuth=mysql_native_password,client_ed25519,auth_gssapi_client,caching_sha2_password,dialog,mysql_clear_password'

Comment by Agostino [ 2022-02-09 ]

I can bypass the error with your suggestion, however I'm stumbling into another one:

Exception: java.sql.SQLException - Error: - Client does not support authentication protocol requested by server. plugin type was = 'sha256_password'

Comment by Agostino [ 2022-02-09 ]

I realized I've missed some info, this is our connection string:

jdbc:mariadb://127.0.0.1/DATABASE?user=USER&password=PASSWORD&sessionVariables=sql_mode=''&autoReconnect=true&allowPublicKeyRetrieval=true&restrictedAuth=mysql_native_password,client_ed25519,auth_gssapi_client,caching_sha2_password,sha256_password,mysql_clear_password 

So we added sha256_password into the connection string. It appears to work on Rocky Linux 8 but it doesn't on CentOS Stream 8, here is the list of mysql server packages:

~ # rpm -qa | grep mysql
mysql-server-8.0.26-1.module_el8.4.0+915+de215114.x86_64
mysql-common-8.0.26-1.module_el8.4.0+915+de215114.x86_64
mysql-errmsg-8.0.26-1.module_el8.4.0+915+de215114.x86_64
mysql-8.0.26-1.module_el8.4.0+915+de215114.x86_64
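
Added example, not part of the ticket and not Connector/J code: a small model of the client-side `restrictedAuth` allow-list discussed in the comments above, run over URLs constructed from the ones quoted in the thread. The function names and the URL parsing are assumptions of this example; only the option name and plugin lists come from the ticket.

```python
# Added illustration: a model of the client-side allow-list, not Connector/J code.

# Effective default reported by the 3.0.3 error message in this ticket.
DEFAULT_3_0_3 = ["mysql_native_password", "client_ed25519", "auth_gssapi_client"]

# URLs constructed from the ones quoted in the ticket (placeholders kept).
NO_OPTION = "jdbc:mariadb://127.0.0.1/DATABASE?user=USER&password=PASSWORD"
WORKAROUND = ("jdbc:mariadb://host/db?restrictedAuth=mysql_native_password,"
              "client_ed25519,auth_gssapi_client,caching_sha2_password,"
              "dialog,mysql_clear_password")
REPORTER = ("jdbc:mariadb://127.0.0.1/DATABASE?user=USER&password=PASSWORD"
            "&sessionVariables=sql_mode=''&autoReconnect=true"
            "&allowPublicKeyRetrieval=true&restrictedAuth=mysql_native_password,"
            "client_ed25519,auth_gssapi_client,caching_sha2_password,"
            "sha256_password,mysql_clear_password")


def restricted_auth(jdbc_url):
    """Return the restrictedAuth plugin list from a JDBC URL, or None if unset."""
    _, _, query = jdbc_url.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")  # first '=' only: values may contain '='
        if key == "restrictedAuth":
            return [p.strip() for p in value.split(",") if p.strip()]
    return None


def permits(jdbc_url, requested_plugin, unset_default=None):
    """True if the allow-list lets the server-requested plugin through.

    unset_default applies when the URL has no restrictedAuth: None models
    "no restriction", DEFAULT_3_0_3 models the behaviour reported for 3.0.3.
    """
    allowed = restricted_auth(jdbc_url)
    if allowed is None:
        allowed = unset_default
    return allowed is None or requested_plugin in allowed


def surplus(jdbc_url, needed):
    """Plugins allowed by the URL that the deployment does not need."""
    return [p for p in (restricted_auth(jdbc_url) or []) if p not in needed]


if __name__ == "__main__":
    for name, url in [("no option", NO_OPTION), ("workaround", WORKAROUND)]:
        print(name, permits(url, "caching_sha2_password", DEFAULT_3_0_3))
    print(surplus(REPORTER, {"caching_sha2_password", "sha256_password"}))
```

`surplus` lists the allow-list entries beyond the plugins a deployment actually uses, which is the list to trim once the fixed driver is in place.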

Comment by Diego Dupin [ 2022-02-10 ]

Corrected in 3.0.4.
Available through snapshot:

 
<repositories>
    <repository>
        <id>sonatype-nexus-snapshots</id>
        <name>Sonatype Nexus Snapshots</name>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    </repository>
</repositories>
 
<dependencies>
    <dependency>
        <groupId>org.mariadb.jdbc</groupId>
        <artifactId>mariadb-java-client</artifactId>
        <version>3.0.4-SNAPSHOT</version>
    </dependency>
</dependencies>
